Answers to the most frequently searched compliance questions across FCRA, FDCPA, TCPA, HIPAA, AI governance, FMCSA, FINRA/SEC, and federal regulatory law. Updated April 2026 by Mike Reeves, Editor, ComplianceJournal.news.


FCRA — Fair Credit Reporting Act

What is the FCRA adverse action process?

When an employer intends to take adverse action based on a consumer report (declining to hire, failing to promote, reassigning, or terminating), two steps are required: a pre-adverse action notice under 15 U.S.C. § 1681b(b)(3) and a final adverse action notice under 15 U.S.C. § 1681m(a).

Step 1 — Pre-adverse action. Before making the final decision, provide the applicant with a copy of the consumer report, the CFPB's "A Summary of Your Rights Under the Fair Credit Reporting Act", and written notice that adverse action is being considered. Give the applicant a reasonable period, commonly at least five business days, to review the report and dispute inaccuracies. The statute itself requires only that the copy and the summary be provided before the adverse action is taken; the five-business-day figure comes from litigation outcomes and compliance guidance, not from the statutory text.

Step 2 — Final adverse action. After the waiting period, if you proceed, send a final adverse action notice that identifies the consumer reporting agency that provided the report (including the CRA's contact information), states that the CRA did not make the decision and cannot explain why it was made, and informs the applicant of the right to obtain a free copy of the report from the CRA within 60 days and of the right to dispute the accuracy or completeness of anything in it.

What does FCRA compliant background check mean?

An FCRA compliant background check means the employer obtained the report from a consumer reporting agency after certifying to that CRA that it would comply with the FCRA's employment-purpose requirements (there is no government certification of CRAs; the certification runs from the employer to the CRA), provided a standalone written disclosure before ordering the check, obtained the applicant's written authorization before screening began, followed the two-step adverse action process if the check revealed negative information, and gave the applicant an opportunity to dispute inaccuracies before making a final adverse decision.

What is the standalone disclosure requirement?

The FCRA (15 U.S.C. § 1681b(b)(2)(A)) requires that the written disclosure informing an applicant that a consumer report may be obtained for employment purposes consist solely of the disclosure. It cannot be combined with a job application, employment agreement, liability waiver, or any other document; the statute permits the applicant's authorization to appear on the same document, but nothing else may. Courts have repeatedly found violations where disclosure forms were embedded in applications or bundled with other materials, and the standalone requirement is a frequent source of class action liability.

What is the Date of First Delinquency and why does it matter?

The Date of First Delinquency (DOFD) is the date the consumer first fell behind in the run of delinquency that led to the account being charged off or placed for collection. It anchors the seven-year reporting period for that negative information: under § 1681c(c)(1) the period runs from 180 days after the DOFD, and it does not restart when the debt is sold, paid, or reported under a new collection account. Furnishers must report the DOFD to the CRAs within 90 days of first reporting the account (§ 1681s-2(a)(5)), and "re-aging" a debt by reporting a later DOFD so that it stays on the file longer violates the FCRA. DOFD errors are among the most litigated FCRA issues between consumers and furnishers.

When does a furnisher's § 1681s-2(b) investigation duty trigger?

A furnisher's investigation duty under § 1681s-2(b) is triggered when a consumer reporting agency notifies the furnisher of a dispute the consumer filed with the CRA under § 1681i, not when the consumer disputes directly with the furnisher. Direct disputes are governed by Regulation V (12 C.F.R. § 1022.43), but § 1681s-2(c) bars private suits over those direct-dispute duties. This distinction is frequently litigated and determines whether a consumer can sue the furnisher in court; the practical consequence is that a consumer who wants a private remedy should dispute through the CRA so that the CRA's notice to the furnisher triggers § 1681s-2(b).

What is the FCRA file disclosure fee for 2026?

The maximum fee for a consumer file disclosure from a consumer reporting agency is $16 for 2026, up from $15.50 in 2025. This fee applies to paid disclosures — consumers remain entitled to free weekly file disclosures through AnnualCreditReport.com from Equifax, Experian, and TransUnion.


FDCPA — Fair Debt Collection Practices Act

What is a validation notice under the FDCPA?

A validation notice is the written notice a debt collector must send within five days after its initial communication with a consumer, unless the required information was included in that initial communication (15 U.S.C. § 1692g(a)). It must state the amount of the debt; the name of the creditor to whom the debt is owed; that the collector will assume the debt is valid unless the consumer disputes it within 30 days; that if the consumer disputes in writing within 30 days, the collector will obtain and mail verification of the debt; and that upon written request within 30 days, the collector will provide the name and address of the original creditor if different from the current creditor. Regulation F (12 C.F.R. § 1006.34) adds itemization and other content requirements and supplies a model notice. Defects in validation notices are among the most common sources of FDCPA class action liability.

Does the FDCPA apply to original creditors?

No. The FDCPA applies to debt collectors — third parties who regularly collect debts owed to others. Original creditors collecting their own debts are exempt from the FDCPA under the creditor exception codified at 15 U.S.C. § 1692a(6). However, state laws frequently fill this gap. New York's GBL Article 29-H, California's Rosenthal Act, and other state statutes apply to original creditors collecting consumer debts.

What is the FDCPA 7-7-7 rule?

The 7-7-7 rule, established by the CFPB's Regulation F (12 C.F.R. § 1006.14(b)), presumes that a debt collector has violated the FDCPA's harassment prohibition if it places more than seven telephone calls about a particular debt within seven consecutive days, or places a call within seven days after having a telephone conversation with the consumer about that debt. Staying under both thresholds earns a presumption of compliance; both presumptions are rebuttable. The count covers placed calls whether or not they are answered, and it is applied per debt. The rule applies to telephone calls specifically, not to emails or text messages, which have separate communication frequency considerations.
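The two prongs above are easy to get wrong in a dialer when the seven-day window is implemented as a calendar-week counter or when unanswered attempts are not counted. The following Python gate, an added example rather than code from ComplianceJournal.news or any collection platform, applies both prongs to one debt's call log as a rolling seven-day window. The rolling 7 x 24-hour span is a conservative modelling assumption for "seven consecutive days", and the regulation's exceptions (consumer-initiated calls, prior consent, calls that are not connected because of a busy signal, and so on) are left out and would need to be added before use.

```python
"""Regulation F call-frequency gate (12 C.F.R. 1006.14(b)) for one debt.

Added example, not code from ComplianceJournal.news or any vendor.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)   # "seven consecutive days", modelled as a rolling 7 x 24h span (assumption)
MAX_CALLS = 7                # an eighth placed call inside the window is presumed harassment


@dataclass(frozen=True)
class Call:
    placed_at: datetime   # all timestamps must share one timezone convention
    connected: bool       # True only if an actual telephone conversation took place


def calls_in_window(history: list[Call], now: datetime) -> list[Call]:
    """Calls placed about this debt in the seven days ending at `now`."""
    return [c for c in history if now - WINDOW < c.placed_at <= now]


def may_place_call(history: list[Call], now: datetime) -> tuple[bool, str]:
    """Check both prongs of 7-7-7 for one debt. Returns (allowed, reason)."""
    recent = calls_in_window(history, now)
    # Prong 2: no call within seven days after a telephone conversation about the debt.
    last_conversation = max((c.placed_at for c in recent if c.connected), default=None)
    if last_conversation is not None:
        return False, (f"conversation on {last_conversation:%Y-%m-%d}; "
                       f"next call not before {last_conversation + WINDOW:%Y-%m-%d %H:%M}")
    # Prong 1: placing this call would be the eighth (or more) within seven days.
    # Unanswered attempts count, because the rule is about calls placed.
    if len(recent) >= MAX_CALLS:
        return False, f"{len(recent)} calls already placed in the last seven days"
    return True, "within Regulation F frequency limits"


def earliest_next_call(history: list[Call], now: datetime) -> datetime:
    """Earliest time at or after `now` when both prongs would be satisfied."""
    recent = calls_in_window(history, now)
    candidates = [now]
    for c in recent:
        if c.connected:
            candidates.append(c.placed_at + WINDOW)
    if len(recent) >= MAX_CALLS:
        # Enough of the oldest in-window calls must age out to bring the count to six.
        ordered = sorted(c.placed_at for c in recent)
        candidates.append(ordered[len(recent) - MAX_CALLS] + WINDOW)
    return max(candidates)


if __name__ == "__main__":
    # Constructed call log for one debt: seven unanswered attempts over six days.
    log = [Call(datetime(2026, 4, d, 9, 0), False) for d in range(14, 20)]
    log.append(Call(datetime(2026, 4, 19, 15, 0), False))
    now = datetime(2026, 4, 20, 10, 0)
    print(may_place_call(log, now))       # (False, '7 calls already placed in the last seven days')
    print(earliest_next_call(log, now))   # 2026-04-21 09:00:00
```

The gate takes the log for a single debt; a collector handling several accounts for the same consumer keeps one log per debt, which is where "per debt" is enforced. A conversation, not a ring or a voicemail, is what starts the seven-day cooling-off period, so the `connected` flag must come from the call outcome, not from whether the dial attempt completed.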

What happens when a consumer sends a cease-and-desist letter?

When a consumer notifies a debt collector in writing that the consumer refuses to pay the debt or wants the collector to cease communication, 15 U.S.C. § 1692c(c) requires the collector to stop all further communication with the consumer except to notify the consumer that collection activities are being terminated, to notify the consumer that the collector may invoke specified remedies it ordinarily invokes, or to notify the consumer that the collector intends to invoke a specified remedy. Continuing to contact a consumer after receiving a cease-and-desist letter is an FDCPA violation that can result in statutory damages plus attorney's fees.

Can a debt collector add fees or interest not in the original contract?

No. Section 1692f(1) prohibits collecting any amount — including interest, fees, charges, or expenses — unless the amount is expressly authorized by the agreement creating the debt or permitted by law. Adding fees or interest that the underlying agreement does not authorize and that no applicable state statute permits is an FDCPA violation that can support class action claims when applied systematically through form collection letters.


TCPA — Telephone Consumer Protection Act

What is prior express written consent under the TCPA?

Prior express written consent for TCPA purposes (47 C.F.R. § 64.1200(f)(9)) is a signed written agreement that clearly authorizes a specific company to deliver or cause to be delivered to the consumer's telephone number advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice. The signature may be electronic under the E-SIGN Act. The authorization must include the phone number to which consent applies and must disclose that consent is not a condition of purchasing goods or services. A generic terms-of-service checkbox bundled with other consents is almost certainly insufficient.

How long does a business have to honor a TCPA opt-out?

Under the FCC's April 2025 consent revocation rules, businesses must honor opt-out requests within 10 business days. Consumers may revoke consent using any reasonable method that clearly expresses a desire not to receive further communications. Businesses cannot designate an exclusive revocation channel. After a consumer opts out via text, one confirmation text may be sent within 5 minutes — no further marketing or informational texts may follow.

What is the TCPA quiet hours rule?

The TCPA's quiet-hours rule (47 C.F.R. § 64.1200(c)(1)) prohibits telephone solicitations before 8 a.m. or after 9 p.m. local time at the called party's location, and it is applied to marketing text messages as well as calls. Local time means the recipient's time zone, not the caller's. A campaign released at 6 a.m. Eastern reaches Central recipients at 5 a.m., Mountain recipients at 4 a.m., and Pacific recipients at 3 a.m., all clear violations. Send-time optimization tools must convert to each recipient's time zone before releasing a message, and because a time zone inferred from an area code is unreliable for ported and mobile numbers, an unknown time zone should be treated as the most restrictive one rather than defaulted to the sender's.
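The following Python gate, an added example rather than code from ComplianceJournal.news or any messaging vendor, converts a campaign's release time to each recipient's wall-clock time with the standard library's `zoneinfo` and holds any message that would land outside 8 a.m. to 9 p.m. It assumes recipient time zones are already known as IANA names; it reads the boundary conservatively, treating 9:00 p.m. exactly as quiet, which is an assumption rather than a statement of how a court would read the rule. The constructed recipient list includes Arizona to show that a time zone, not a "Mountain" label, is what the conversion needs.

```python
"""Quiet-hours gate for a campaign scheduler.

Added example, not code from ComplianceJournal.news or any vendor's tool.
Rule applied: 47 C.F.R. 64.1200(c)(1), no solicitation before 8 a.m. or
after 9 p.m. at the called party's location.
"""
from datetime import datetime, time, timedelta
from zoneinfo import ZoneInfo

WINDOW_OPEN = time(8, 0)    # earliest permitted recipient-local wall-clock time
WINDOW_CLOSE = time(21, 0)  # 9:00 p.m. itself is treated as quiet (conservative assumption)


def to_recipient_local(send_at: datetime, recipient_tz: str) -> datetime:
    """Convert an aware send timestamp to the recipient's wall-clock time."""
    if send_at.tzinfo is None:
        raise ValueError("send_at must be timezone-aware; a naive timestamp hides the bug this gate catches")
    return send_at.astimezone(ZoneInfo(recipient_tz))


def is_quiet_hours(send_at: datetime, recipient_tz: str) -> bool:
    """True when delivery would land outside 8 a.m. to 9 p.m. recipient-local time."""
    local = to_recipient_local(send_at, recipient_tz).time()
    return local < WINDOW_OPEN or local >= WINDOW_CLOSE


def next_permitted(send_at: datetime, recipient_tz: str) -> datetime:
    """Earliest recipient-local time at or after send_at that is inside the window."""
    local = to_recipient_local(send_at, recipient_tz)
    if not is_quiet_hours(send_at, recipient_tz):
        return local
    day = local.date()
    if local.time() >= WINDOW_CLOSE:
        day += timedelta(days=1)   # after 9 p.m.: hold until 8 a.m. the next day
    # zoneinfo derives the UTC offset from the wall time, so DST changes are handled.
    return datetime.combine(day, WINDOW_OPEN, tzinfo=local.tzinfo)


def audit_campaign(send_at: datetime, recipients: list[tuple[str, str]]) -> list[dict]:
    """Per-recipient report: local delivery time, quiet-hours flag, and hold-until time."""
    rows = []
    for number, tz in recipients:
        local = to_recipient_local(send_at, tz)
        rows.append({
            "number": number,
            "tz": tz,
            "local": local.strftime("%Y-%m-%d %H:%M %Z"),
            "quiet_hours": is_quiet_hours(send_at, tz),
            "hold_until": next_permitted(send_at, tz).isoformat(),
        })
    return rows


if __name__ == "__main__":
    # Constructed example: a release scheduled for 6 a.m. Eastern in April (DST in effect).
    release = datetime(2026, 4, 20, 6, 0, tzinfo=ZoneInfo("America/New_York"))
    recipients = [  # fictional 555 numbers, constructed for this example
        ("+1-212-555-0100", "America/New_York"),
        ("+1-312-555-0100", "America/Chicago"),
        ("+1-303-555-0100", "America/Denver"),
        ("+1-415-555-0100", "America/Los_Angeles"),
        ("+1-602-555-0100", "America/Phoenix"),  # Arizona keeps standard time, matching Pacific in April
    ]
    for row in audit_campaign(release, recipients):
        print(row)
```

Every recipient in the constructed list is flagged: the Eastern recipient because 6 a.m. is itself before the window opens, the others because the conversion pushes delivery earlier still. The scheduler should call `next_permitted` per recipient and release each message at its own hold-until time rather than picking a single send time for the campaign.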

What are TCPA statutory damages?

TCPA statutory damages are $500 per violation for negligent violations and $1,500 per violation for willful or knowing violations. Courts may also award actual damages if greater. The per-call or per-text structure makes TCPA class actions economically powerful — a campaign contacting 10,000 non-consenting numbers generates $5 million to $15 million in potential exposure before a plaintiff's attorney files their first motion.

How often must businesses scrub against the National Do Not Call Registry?

Telemarketers must scrub calling lists against the National Do Not Call Registry at least every 31 days. The 31-day window is the safe harbor. Businesses that scrub more frequently — weekly, before each campaign — have stronger documentation. Scrub records must be maintained for at least 24 months.

What state mini-TCPA laws apply in 2026?

Florida limits businesses to three call attempts per day per number between 8 a.m. and 8 p.m. Texas SB 140, effective September 1, 2025, extended "telephone solicitation" to text messages and created a private right of action under the Texas Deceptive Trade Practices Act. Virginia SB 1339, effective January 1, 2026, requires honoring STOP requests for 10 years. Maryland, Oklahoma, and other states have enacted or are considering their own mini-TCPA laws.


AI Governance — TRAIGA and Colorado AI Act

What is TRAIGA?

TRAIGA — the Texas Responsible AI Governance Act — is a Texas state law that took effect January 1, 2026. It applies to any business that deploys a high-risk AI system in a consequential decision affecting a Texas resident. It is enforced exclusively by the Texas Attorney General with penalties up to $200,000 per uncurable violation. The NIST AI RMF safe harbor provides an affirmative defense for businesses with documented NIST alignment.

When does the Colorado AI Act take effect?

June 30, 2026. The Colorado Artificial Intelligence Act (SB 24-205) takes effect June 30, 2026 — approximately 65 days from the date of this article. It requires annual impact assessments for each high-risk AI system, consumer disclosures, a meaningful appeal process and human review right, and a written AI risk management policy. Enforcement is by the Colorado AG only.

Does using Indeed, Checkr, or Workday make my business subject to AI laws?

Yes. Every employer using Indeed, Checkr, Sterling, Workday, LinkedIn Recruiter, ZipRecruiter, or similar AI-powered platforms in hiring decisions is a deployer under TRAIGA and potentially Colorado's AI Act. Every landlord using TransUnion SmartMove, RentSpree, or similar AI-assisted tenant screening is a deployer. Compliance requires sending formal documentation requests to each vendor, implementing human review of AI outputs, and maintaining a dated compliance file.

What is the NIST AI RMF safe harbor?

The NIST AI Risk Management Framework safe harbor under TRAIGA means that substantial compliance with the NIST AI RMF — documented alignment with its Govern, Map, Measure, and Manage functions — serves as an affirmative defense against TRAIGA enforcement actions. Colorado's AI Act also references NIST AI RMF as a recognized standard supporting the rebuttable presumption of reasonable care.

What is an AI impact assessment under Colorado law?

An impact assessment under Colorado's AI Act is a documented analysis of each high-risk AI system a deployer uses. It must cover the system's purpose, data inputs, known discrimination risks, mitigation measures, and human oversight protocols. A separate assessment is required for each AI system. Assessments must be updated annually and when systems change materially. A business using five AI-powered platforms needs five separate, annually updated impact assessments.

Will federal law preempt state AI laws?

As of April 2026, no. In July 2025 the Senate voted 99 to 1 to strip a proposed 10-year moratorium on state AI laws from the budget reconciliation bill, and Congress also rejected preemption language in the 2025 National Defense Authorization Act. A December 2025 executive order directing the DOJ to challenge state AI laws cannot by itself preempt state law; preemption requires an act of Congress. TRAIGA is in effect, Colorado's AI Act takes effect June 30, and building compliance now is the correct response.


HIPAA — Health Insurance Portability and Accountability Act

What is a HIPAA breach?

A HIPAA breach is the acquisition, access, use, or disclosure of protected health information that is not permitted under the Privacy Rule and that compromises the security or privacy of the PHI. Not every impermissible disclosure is reportable — the HIPAA Breach Notification Rule allows a four-factor risk assessment to evaluate notification obligations. However, HHS OCR and the FTC have treated disclosures of patient health data to advertising pixels and analytics platforms as reportable breaches.

What does the minimum necessary standard require for AI clinical tools?

The HIPAA minimum necessary standard (45 C.F.R. § 164.514(d)) requires covered entities to limit PHI use to what is genuinely necessary for the intended purpose. AI clinical tools that analyze complete patient records raise minimum necessary questions — a predictive readmission model may need comprehensive data, but whether that comprehensive access is the minimum necessary depends on how the clinical purpose is defined. HHS OCR has identified AI clinical tools as a 2026 enforcement priority and minimum necessary compliance as an area of examination focus.

What is a HIPAA Business Associate Agreement?

A HIPAA Business Associate Agreement is a contract between a covered entity and a business associate — a vendor that receives PHI in the course of performing services — that specifies how the business associate may use and protect PHI. BAAs are required for every vendor relationship involving PHI. AI clinical tool vendors, telehealth platforms, and cloud storage providers that handle patient data must have compliant BAAs in place. BAAs for AI vendors should specifically address training data use, model improvement, and minimum necessary compliance.


FMCSA — Transportation and Trucking Compliance

What is an FMCSA ELD?

An Electronic Logging Device is a device that automatically records a commercial motor vehicle driver's hours of service and that its manufacturer has self-certified and registered with FMCSA; FMCSA maintains the registration list but does not test or certify devices itself. The ELD mandate took effect in December 2017, and the grandfather period for older automatic on-board recording devices (AOBRDs) ended in December 2019. FMCSA periodically removes non-compliant devices from the registered list, so carriers must verify their ELD remains listed and replace a removed device within the replacement window FMCSA announces. A driver using a removed ELD after that deadline is treated as operating without an ELD, faces HOS violations, and may be placed out of service at roadside.

What does the FMCSA Drug and Alcohol Clearinghouse require?

Motor carriers must query the Clearinghouse before hiring any CDL driver and conduct annual queries on all employed CDL drivers. A driver with an unresolved drug or alcohol violation cannot operate a commercial motor vehicle. Carriers that skip pre-employment queries and then have an at-fault accident face negligent hiring exposure in addition to FMCSA regulatory penalties. More than 7,000 Clearinghouse violations were identified in 2025 — the overwhelming majority for missed pre-employment or annual queries.


FINRA and SEC — Financial Services Compliance

What is FINRA Rule 4370?

FINRA Rule 4370 requires member firms to create and maintain a written Business Continuity Plan identifying procedures for responding to significant business disruptions. BCPs must be reviewed annually and must accurately reflect current operations — including current technology systems, remote work infrastructure, and third-party vendor dependencies. FINRA is currently conducting an examination sweep focused on whether BCPs reflect actual operational reality rather than pre-pandemic assumptions.

What does the SEC cybersecurity disclosure rule require?

The SEC's cybersecurity disclosure rules, now fully effective for all public companies including smaller reporting companies, require disclosure of material cybersecurity incidents on Form 8-K within four business days of determining materiality, and annual 10-K disclosures describing cybersecurity risk management programs and board oversight of cybersecurity. The four-business-day materiality determination clock requires a defined, pre-established incident response process — companies that have not rehearsed the disclosure process will find it much harder than anticipated during an actual incident.


This FAQ is for informational purposes only and does not constitute legal advice. For legal advice specific to your situation, consult a licensed attorney. ComplianceJournal.news is an independent publication. Content current as of April 2026.